Saturday, December 24, 2011

[Quick Notes] Nmap's way of probing targets

Reading up on Nmap. Thought of sharing this quick post.

Nmap probes a target before scanning it for open ports and services. Nmap address probing works as follows:

For root / administrator users
-> If the attacker / scanning box is on the same subnet as the target, then nmap will only send out ARP requests.

However, if the attacker sits on a different subnet than the target, then nmap will send
-> ICMP Echo Request
-> TCP SYN to port 443
-> TCP ACK to port 80
-> ICMP Timestamp Request [Type 13]
Note that Nmap sends out ALL 4 probe packets at once; it does not wait to receive a response to the ICMP Echo Request.

For non-root / non-administrative users
Nmap will simply start a 3-way handshake by sending
-> TCP SYN to port 80
-> TCP ACK to port 443
It does NOT send any ICMP packet.
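As an added detection-side example (not code from the original post or from Nmap), the probe sets listed above can be matched in per-packet logs: a source that fires the complete set at one destination within about a second matches Nmap's send-all-at-once behaviour. The log format and the sample lines are constructed for this example.

```python
# Added example: detect Nmap's default host-discovery probe sets in packet logs.
# The log format is constructed for this example (not a real tool's output):
#   <epoch_seconds> <src_ip> <dst_ip> <proto>[:<detail>]
# with proto/detail = icmp:<type> | tcp:<dport>:<flags> | arp
from collections import defaultdict

# Privileged (root) cross-subnet discovery: the four probes the post lists.
PRIV_PROBES = {("icmp", 8), ("tcp", 443, "S"), ("tcp", 80, "A"), ("icmp", 13)}
# Unprivileged discovery as the post describes it: two TCP packets, no ICMP.
UNPRIV_PROBES = {("tcp", 80, "S"), ("tcp", 443, "A")}

# Constructed sample: a privileged scan, an ordinary web client, an unprivileged scan.
SAMPLE_LOG = """\
100.000 10.0.0.5 10.0.1.20 icmp:8
100.001 10.0.0.5 10.0.1.20 tcp:443:S
100.001 10.0.0.5 10.0.1.20 tcp:80:A
100.002 10.0.0.5 10.0.1.20 icmp:13
105.000 10.0.0.7 10.0.1.20 tcp:80:S
105.020 10.0.0.7 10.0.1.20 tcp:80:A
110.000 10.0.0.9 10.0.1.20 tcp:80:S
110.001 10.0.0.9 10.0.1.20 tcp:443:A
"""

def parse_record(line):
    """One log line -> (timestamp, src, dst, probe_key), e.g. ("tcp", 443, "S")."""
    ts, src, dst, packet = line.split()
    proto, *detail = packet.split(":")
    key = (proto,) + tuple(int(d) if d.isdigit() else d for d in detail)
    return float(ts), src, dst, key

def find_discovery_bursts(log_text, window=1.0):
    """Map (src, dst) -> 'privileged' | 'unprivileged' for pairs where a complete
    probe set arrived within `window` seconds (Nmap fires all probes at once)."""
    by_pair = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, key = parse_record(line)
        by_pair[(src, dst)].append((ts, key))
    hits = {}
    for pair, events in by_pair.items():
        events.sort(key=lambda e: e[0])  # logs are not guaranteed to be ordered
        for i, (t0, _) in enumerate(events):
            seen = {k for t, k in events[i:] if t - t0 <= window}
            if PRIV_PROBES <= seen:
                hits[pair] = "privileged"
                break
            if UNPRIV_PROBES <= seen:
                hits[pair] = "unprivileged"
                break
    return hits
```

The two-packet unprivileged pattern also shows up in ordinary client traffic, so treat it as low confidence next to the four-probe set, which pairs ICMP Echo and Timestamp requests that normal clients rarely send together.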
